Focus on IDS
Setting up Arcsight/Tripwire Apr 07 2009 08:15AM
venkatesh selvaraju gmail com (2 replies)
Re: Setting up Arcsight/Tripwire Apr 07 2009 10:10PM
Randal T. Rioux (randy procyonlabs com) (2 replies)
Re: Setting up Arcsight/Tripwire Apr 08 2009 07:21PM
Mike Lococo (mikelococo gmail com)
Re: Setting up Arcsight/Tripwire Apr 08 2009 07:20PM
Aseem Kumar (kumaraseem gmail com) (1 replies)
RE: Setting up Arcsight/Tripwire Apr 08 2009 08:54PM
David Henning (David Henning hughes com)
Splunk does not bill itself as a SIEM (SIM, SEM, or whatever the marketing name of the week is) tool. It can take in logs and generate reports. It doesn't care what you throw at it as long as it is text-based (i.e. it can monitor top, ps, or other scripted command output). It has the ability to parse and search information stored in a flat-file format (i.e. Google for your log data). It does not have the ability to create tickets, track an incident, or provide the other features that traditional SIEM tools offer.

I can't speak directly about ArcSight other than that we did not choose them because the pre-sales support wasn't there for us in 2004. I did feel they would have proven to be the superior technology of the day, but that was 5 years ago.

I was about to rant about a competitor to ArcSight we used for a time, but decided not to. It was too long. That competitor is being replaced with Splunk because Splunk fits our environment and needs better. The best answer to your question is to do a bake-off internally with both products. Really look at your particular use scenario. Look at the types of resources you have internally to manage the care and feeding of the product, keeping it updated as your security devices generate new logs after their own updates. Some environments are better served by 'appliance' solutions, some by the ability to tailor the product as you see fit. What features do you really need? Just log, alert and report, or also creating tickets on the fly, complex correlation, etc.? Will it be 100% in-house or a managed service?

David Henning

-----Original Message-----
From: listbounce (at) securityfocus (dot) com On Behalf Of Aseem Kumar
Sent: Wednesday, April 08, 2009 3:21 PM
To: focus-ids (at) securityfocus (dot) com
Subject: Re: Setting up Arcsight/Tripwire

Is Splunk also similar to ArcSight, as it also captures different logs
and provides reports?
If they are both similar, then which one is better suited in terms
of easy implementation/configuration?

Regards
Aseem

Re: Setting up Arcsight/Tripwire Apr 07 2009 04:26PM
Paul Schmehl (pschmehl_lists tx rr com) (2 replies)
Re: Setting up Arcsight/Tripwire Apr 18 2009 03:05PM
Stephen Mullins (steve mullins work gmail com)
RE: Setting up Arcsight/Tripwire Apr 08 2009 04:48PM
Rivera, Angel L. (arivera mitre org)
Copyright 2010, SecurityFocus